We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC 9110 specifies that only the following characters are allowed within header names:
field-name = token token = 1*tchar tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA ; any VCHAR, except delimiters
Grizzly HTTP does not enforce this rule.
1. I think Grizzly should follow this convention for header names.
Consider the following payload: GET / HTTP/1.1\r\nHost: a\r\nIgnore\r\nMy-Header: m\r\n\r\n.
GET / HTTP/1.1\r\nHost: a\r\nIgnore\r\nMy-Header: m\r\n\r\n
Grizzly's HTTP parser sees this payload as two requests, like so:
GET / HTTP/1.1\r\n Host: a\r\n Ignore\r\nMy-Header: m\r\n \r\n
However, some HTTP parsers (e.g. Nginx, Libsoup, cpp-httplib) see only request, like so:
GET / HTTP/1.1\r\n Host: a\r\n Ignore\r\n My-Header: m\r\n \r\n
This happens because these parsers either ignore or permissively parse field-lines with no ':', so they see a My-Header header where Grizzly didn't.
2. I think it would be good for compatibility if, when parsing headers, it ignored incomplete field-lines like other parsers do.
The text was updated successfully, but these errors were encountered:
Issue eclipse-ee4j#2212 Enhances validation of HTTP header names
ed2eba1
098eb0f
No branches or pull requests
RFC 9110 specifies that only the following characters are allowed within header names:
Grizzly HTTP does not enforce this rule.
1. I think Grizzly should follow this convention for header names.
Consider the following payload:
GET / HTTP/1.1\r\nHost: a\r\nIgnore\r\nMy-Header: m\r\n\r\n
.Grizzly's HTTP parser sees this payload as two requests, like so:
However, some HTTP parsers (e.g. Nginx, Libsoup, cpp-httplib) see only request, like so:
This happens because these parsers either ignore or permissively parse field-lines with no ':', so they see a My-Header header where Grizzly didn't.
2. I think it would be good for compatibility if, when parsing headers, it ignored incomplete field-lines like other parsers do.
The text was updated successfully, but these errors were encountered: